
A cyber threat group known as 'RedCurl,' which has been involved in covert corporate espionage since 2018, has shifted tactics to include a ransomware encryptor aimed at Hyper-V virtual machines. This marks a significant evolution in their operational strategy, as they previously focused on data exfiltration from corporate networks.
RedCurl's New Ransomware Strategy
Initially identified by Group-IB, RedCurl targeted corporate entities globally, gradually expanding its reach and increasing the number of victims. Recently, Bitdefender Labs reported that RedCurl has begun deploying ransomware within compromised networks, deviating from their traditional methods.
Targeting Virtual Machines
As enterprises increasingly utilize virtual machines for server hosting, ransomware groups have adapted by developing encryptors for virtualization platforms. While many ransomware operations target VMware ESXi servers, RedCurl's new "QWCrypt" ransomware specifically attacks virtual machines hosted on Hyper-V.
- Phishing Emails: The attacks start with phishing emails carrying ".IMG" disk-image attachments disguised as CVs; when the recipient opens one, Windows mounts it as a new drive letter.
- Exploitation Techniques: The mounted image holds a legitimate Adobe executable next to a malicious DLL. The executable sideloads that DLL (a technique that abuses the normal DLL search order rather than a bug in the binary), and the DLL downloads the next-stage payload.
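The sideloading step above leaves a recognisable trace in image-load telemetry on the endpoint. The following Python is an added example, not code from the Bitdefender report or from RedCurl's tooling: it runs one rule over constructed Sysmon Event ID 7 (ImageLoad) records and flags a process that runs from a non-standard location (a mounted image shows up as a new drive letter, and Downloads or Temp are just as suspicious) while loading an unsigned DLL from its own directory. Every path and file name in the sample is a placeholder, not an indicator from the report, and the trusted-directory list is an assumption to tune per environment.

```python
import ntpath

# Directories from which a legitimate, signed vendor binary is expected to run
# (assumption: tune per environment). A mounted .IMG attachment appears as a
# new drive letter, so a vendor binary running from E:\ or from a user's
# Downloads folder is out of place.
TRUSTED_DIR_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Constructed Sysmon Event ID 7 (ImageLoad) records, reduced to the fields the
# rule needs. Paths and names are placeholders, not indicators from the report.
# As in Sysmon, "Signed"/"Signature" describe the loaded DLL, not the process.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Adobe\\Reader\\Reader.exe",
     "ImageLoaded": "C:\\Program Files\\Adobe\\Reader\\ReaderCore.dll",
     "Signed": "true", "Signature": "Adobe Inc."},
    {"Image": "C:\\Program Files\\Adobe\\Reader\\Reader.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Mounted IMG attachment (drive E:) carrying a legitimate-looking binary and
    # an unsigned DLL beside it: the sideloading pattern described above.
    {"Image": "E:\\CV_Candidate\\AdobeHelper.exe",
     "ImageLoaded": "E:\\CV_Candidate\\support.dll",
     "Signed": "false", "Signature": ""},
    # Same pattern from a user-writable folder; also flagged.
    {"Image": "C:\\Users\\jdoe\\Downloads\\tool.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\Downloads\\plugin.dll",
     "Signed": "false", "Signature": ""},
]


def is_trusted_location(path):
    """True when the path sits under one of the expected install directories."""
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def is_sideload_candidate(event):
    """A process outside a trusted directory loads an unsigned DLL from its own folder."""
    image = event["Image"]
    loaded = event["ImageLoaded"]
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    unsigned = event.get("Signed", "false").lower() != "true"
    return same_dir and unsigned and not is_trusted_location(image)


def find_sideloads(events):
    """Return the records that match the sideloading rule, in input order."""
    return [e for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"possible sideload: {hit['Image']} loaded {hit['ImageLoaded']}")
```

The rule deliberately keys on where the process runs from rather than on a specific binary name, so it still fires when the attacker swaps in a different signed host executable. Its blind spot is a vendor directory that is user-writable; for those, compare the loaded DLL's signer against the process's signer as well.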
QWCrypt Ransomware Details
RedCurl relies on "living-off-the-land" tools to stay stealthy on Windows systems, including a customized variant of wmiexec (the Impacket remote-execution script) for lateral movement that avoids detection. The 'Chisel' tool provides tunneling and RDP access, while defenses are disabled through encrypted 7z archives and a multi-stage PowerShell process.
Command-Line Features
QWCrypt supports various command-line arguments to tailor attacks on Hyper-V virtual machines:
- --excludeVM: Excludes specific VMs from encryption so that machines the network depends on keep running and the attack is not exposed by an outage.
- --hv: Encrypts Hyper-V virtual machines.
- --kill: Terminates the VM processes outright.
- --turnoff: Shuts the Hyper-V VMs down before encryption; this is the default behaviour.
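Those switches describe behaviour a Hyper-V host can be watched for: several VMs stopping within seconds of each other, VM worker processes dying, and disk files gaining one of the ransom extensions. The Python below is an added example (my code, not from the Bitdefender report or from QWCrypt) that scans constructed host events for exactly that: a burst of VM shutdowns inside a short window, terminations of vmwp.exe (the per-VM worker process on a Hyper-V host), and renames to a .locked$ or .randombits$ extension. Timestamps, VM names and paths are constructed sample data, and the burst window and threshold are tuning assumptions.

```python
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = (".locked$", ".randombits$")
# Tuning assumptions: three or more VM stops inside 60 seconds is a burst.
# Scheduled maintenance windows would be allowlisted in a real deployment.
BURST_THRESHOLD = 3
BURST_WINDOW = timedelta(seconds=60)

# Constructed Hyper-V host events as (ISO timestamp, kind, detail).
# Not taken from the report; names and paths are placeholders.
SAMPLE_EVENTS = [
    ("2025-03-01T02:00:01", "vm_state", "SRV-WEB01 -> Off"),
    ("2025-03-01T02:00:03", "vm_state", "SRV-DB01 -> Off"),
    ("2025-03-01T02:00:04", "vm_state", "SRV-FILE01 -> Off"),
    ("2025-03-01T02:00:09", "proc_end", "vmwp.exe"),
    ("2025-03-01T02:00:30", "file_rename",
     "D:\\VMs\\SRV-DB01\\disk.vhdx -> D:\\VMs\\SRV-DB01\\disk.vhdx.locked$"),
    ("2025-03-01T02:00:31", "file_rename",
     "D:\\VMs\\SRV-WEB01\\disk.vhdx -> D:\\VMs\\SRV-WEB01\\disk.vhdx.randombits$"),
    # A lone shutdown hours later: ordinary administration, not a burst.
    ("2025-03-01T09:15:00", "vm_state", "SRV-GW01 -> Off"),
]


def parse_ts(text):
    return datetime.fromisoformat(text)


def shutdown_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (start timestamp, count) for every run of VM stops that fills the window."""
    stops = sorted(parse_ts(ts) for ts, kind, detail in events
                   if kind == "vm_state" and detail.endswith("-> Off"))
    bursts, i = [], 0
    while i < len(stops):
        j = i
        while j < len(stops) and stops[j] - stops[i] <= window:
            j += 1
        if j - i >= threshold:
            bursts.append((stops[i].isoformat(), j - i))
            i = j  # skip past the burst so it is reported once
        else:
            i += 1
    return bursts


def worker_kills(events):
    """Count terminations of vmwp.exe, the per-VM worker process on the host."""
    return sum(1 for _, kind, detail in events
               if kind == "proc_end" and detail.lower() == "vmwp.exe")


def ransom_extension_hits(events):
    """New paths from rename events that end in one of the known extensions."""
    hits = []
    for _, kind, detail in events:
        if kind != "file_rename":
            continue
        new_path = detail.split(" -> ")[-1]
        if new_path.lower().endswith(RANSOM_EXTENSIONS):
            hits.append(new_path)
    return hits


def triage(events):
    """Bundle the three signals so a responder sees them side by side."""
    return {
        "shutdown_bursts": shutdown_bursts(events),
        "vmwp_terminations": worker_kills(events),
        "ransom_extension_files": ransom_extension_hits(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On a real host the vm_state events come from the Microsoft-Windows-Hyper-V-VMMS log and the process and rename events from Sysmon or the EDR; the shutdown burst is the earliest of the three signals, since the disks can only be encrypted once the VMs release them.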
The ransomware encrypts files with XChaCha20-Poly1305, appending either the .locked$ or the .randombits$ extension to each encrypted file. It also supports intermittent encryption, which encrypts only portions of each file so that large virtual disks are processed faster.
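Intermittent encryption leaves a file as alternating runs of ciphertext and untouched plaintext, which is what makes it fast and also what makes it recognisable during triage. The following Python is an added example, not code from the report or from QWCrypt: it measures per-chunk Shannon entropy, classifies a file as plain, fully encrypted or intermittently encrypted, and lists the byte ranges that still hold plaintext so they can be carved out. The sample file is constructed, with random bytes standing in for XChaCha20-Poly1305 output (AEAD ciphertext is statistically random, which is all the measurement depends on); the chunk size, the encrypt-every-other-chunk layout and the entropy threshold are assumptions for the example, not QWCrypt's actual parameters.

```python
import math
import os
from collections import Counter

CHUNK = 4096               # analysis granularity (assumption, not QWCrypt's block size)
ENCRYPTED_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0, text near 4 to 5


def shannon_entropy(block):
    """Entropy of a byte string in bits per byte (0.0 for an empty block)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def chunk_entropies(data, chunk=CHUNK):
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def ranges_where(data, predicate, chunk=CHUNK):
    """Merge consecutive chunks whose entropy satisfies predicate into (start, end) byte ranges."""
    ranges = []
    for idx, h in enumerate(chunk_entropies(data, chunk)):
        if not predicate(h):
            continue
        start, end = idx * chunk, min((idx + 1) * chunk, len(data))
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges


def encrypted_ranges(data, chunk=CHUNK, threshold=ENCRYPTED_THRESHOLD):
    return ranges_where(data, lambda h: h >= threshold, chunk)


def plaintext_ranges(data, chunk=CHUNK, threshold=ENCRYPTED_THRESHOLD):
    """Regions an intermittent encryptor skipped; these can be carved out for recovery."""
    return ranges_where(data, lambda h: h < threshold, chunk)


def classify(data, chunk=CHUNK, threshold=ENCRYPTED_THRESHOLD):
    ents = chunk_entropies(data, chunk)
    high = sum(1 for h in ents if h >= threshold)
    if high == 0:
        return "plain"
    if high == len(ents):
        return "full"
    return "intermittent"


# Constructed samples. PLAIN_CHUNK mimics a text document; os.urandom stands in
# for XChaCha20-Poly1305 ciphertext, which is indistinguishable from random.
PLAIN_CHUNK = (b"Quarterly report: revenue figures and contract terms.\n" * 80)[:CHUNK]
SAMPLE_PLAIN = PLAIN_CHUNK * 8
SAMPLE_FULL = os.urandom(CHUNK * 8)
# Assumed intermittent layout: every other 4 KiB chunk encrypted, the rest skipped.
SAMPLE_INTERMITTENT = b"".join(
    os.urandom(CHUNK) if i % 2 == 0 else PLAIN_CHUNK for i in range(8)
)

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("full", SAMPLE_FULL),
                       ("intermittent", SAMPLE_INTERMITTENT)):
        print(name, classify(blob), "plaintext ranges:", plaintext_ranges(blob))
```

Already-compressed or encrypted content (archives, media, encrypted VHDX volumes) also measures near 8 bits per byte, so a "full" verdict on such a file means nothing by itself; the useful signal is the alternation, which ordinary file formats rarely produce at fixed offsets.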
Motivations Behind Ransomware Deployment
Bitdefender proposes two main theories regarding RedCurl's adoption of ransomware tactics. The first suggests that RedCurl acts as a mercenary group, offering services to third parties, resulting in a blend of espionage and financially motivated attacks. In some cases, ransomware may serve as a distraction or a fallback for monetizing access.
The second theory posits that RedCurl engages in ransomware operations for financial gain, preferring private negotiations over public ransom demands and data leaks. This strategic shift raises questions about their motivations and operational objectives.